Malwarebytes

Network cable unplugged

25 replies to this topic

#1
eilatan

    New Member

  • Members
  • 22 posts
I am getting "network cable unplugged" flashing on and off on my Windows XP. Also I cannot run cmd.exe anymore. I have run Malwarebytes but it does not pick anything up. Please can anybody help, as I have read various forums and these problems indicate a virus.

Attached File: mbam_log_2009_09_05__12_10_54_.txt (968 bytes, 33 downloads)

#2
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Well, I'm pretty sure you're dealing with malware here. This is normal when you use cracks and keygens as is shown in your mbam report.

Anyway, please do the following...

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
Mieke Verburgh
Assistant Director of Research


#3
eilatan


(In reply to miekiemoes, Sep 5 2009, 02:55 PM, post #2 above)
I am unable to install ComboFix.

#4
miekiemoes

Please give more info, because "unable to install" is so general. Can't you download? Can't you install because of an error? Can you install, but it won't run? Can you install but it will only run for a few seconds etc etc...

Thanks.

#5
eilatan


(In reply to miekiemoes, Sep 5 2009, 05:05 PM, post #4 above)
Sorry, I can download it, but it starts to install and then goes off. I have also tried to rename it.

#6
miekiemoes

Ok, please delete the file and try this method:

NOTE - it HAS to be renamed before you actually save it on your desktop.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above method), but rename Combofix.exe to iexplore.exe or winlogon.exe instead.
This is because it also happens in some cases that malware blocks EVERY process except what is in its own whitelist, and this whitelist also includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...

#7
eilatan


(In reply to miekiemoes, Sep 5 2009, 06:43 PM, post #6 above)
Still won't install.

#8
miekiemoes

Still strange that Malwarebytes runs..

Anyway, please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Copy and paste the contents of DDS.txt in your next reply. Do not copy and paste the contents of Attach.txt, but attach it to your reply instead.

#9
eilatan


(In reply to miekiemoes, Sep 5 2009, 06:56 PM, post #8 above)
I have downloaded it to the desktop; when I run it I get an error message: Windows cannot find cmd.

#10
miekiemoes

Please do me a favor and look if the file C:\Windows\system32\cmd.exe is present.
If so, double-click it and let me know if you get an error then. If you get an error, let me know which one.
This is to figure out what is causing this, because there could be several reasons:

1) cmd.exe indeed missing
2) Comspec variables corrupted (although Combofix should fix that, either way)
3) Permission issue

#11
eilatan


(In reply to miekiemoes, Sep 5 2009, 08:03 PM, post #10 above)
CMD.exe is missing

#12
eilatan


(Following up on my own post #11 above, Sep 5 2009, 11:13 PM)
HijackThis report enclosed.

#13
eilatan


(Following up on my own post #12 above, Sep 5 2009, 11:21 PM)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:41, on 05/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
C:\Program Files\thinkbroadband.com\tbbMeter\tbbmeter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\REALTEK\8192U Wireless LAN Utility\RtWLan.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\isposure\IsposureAgent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qgb9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qgb9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe"
O4 - HKLM\..\Run: [tbbMeter] C:\Program Files\thinkbroadband.com\tbbMeter\tbbmeter.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R265 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE /FU "C:\DOCUME~1\Owner\LOCALS~1\Temp\E_S14.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103472 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://data.i-spelen.nl/games/aliasrunner.dcr"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: REALTEK RTL8192U Wireless LAN Utility.lnk = C:\Program Files\REALTEK\8192U Wireless LAN Utility\RtWLan.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1216400664593
O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) - https://register.btinternet.com/templates/b...lcontrol013.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdesktop/...tivePreQual.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/b...bcontrol028.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IsposureAgent (isposure_svc) - Epitiro Ltd. - C:\Program Files\isposure\IsposureAgent.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

--
End of file - 11057 bytes

#14
miekiemoes


Quote: "CMD.exe is missing"
Well, in that case, you need to replace it again.

Let's see if there are any other instances of cmd.exe present that we can use to replace it.

Download FileFind by Atribune.
Unzip it.

* Double click on FileFind.exe to open the program.
* Enter cmd.exe into the File: box.
* Click on the Search button.
* After a while a list of file locations will appear in the List of Files: box.
* Click on the Export button.

#15
eilatan


(In reply to miekiemoes, Sep 6 2009, 08:26 AM, post #14 above)
C:\WINDOWS\$NtServicePackUninstall$\cmd.exe - 388608 Bytes
C:\WINDOWS\ServicePackFiles\i386\cmd.exe - 389120 Bytes
C:\WINDOWS\system32\dllcache\cmd.exe - 389120 Bytes

#16
miekiemoes

Hi,

Navigate to your C:\WINDOWS\system32\dllcache folder and COPY the cmd.exe present there to your C:\Windows\system32 folder.

Then run Combofix again.
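As an added example (not code from the thread, from Malwarebytes or from the FileFind tool), the Python script below automates the checks from posts #10, #14 and #16: it classifies why "Windows cannot find cmd" happens (cmd.exe missing, %COMSPEC% pointing elsewhere, or the file unreadable), hashes the spare copies XP keeps in dllcache, ServicePackFiles\i386 and $NtServicePackUninstall$, and restores only from a copy whose hash other spare copies agree with, so a single tampered or out-of-date spare is not copied over system32. The function names, the fallback-directory list and the temp-directory tree that run_demo builds are my assumptions and constructed fixtures; on a live machine pass the real %SystemRoot% and %COMSPEC%.

```python
import hashlib
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, Optional

# Places Windows XP keeps spare copies of system binaries, as path components
# under %SystemRoot%. These are the three locations FileFind reported in the
# thread; the list itself is an assumption, extend it for other Windows builds.
FALLBACK_SUBDIRS = (
    ("system32", "dllcache"),
    ("ServicePackFiles", "i386"),
    ("$NtServicePackUninstall$",),
)


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def diagnose_cmd(system_root: Path, comspec: Optional[str]) -> str:
    """Map the symptom 'Windows cannot find cmd' to one of the causes from post #10.

    'missing'    - %SystemRoot%\\system32\\cmd.exe is not on disk
    'comspec'    - the file exists but %COMSPEC% is unset or points elsewhere
    'permission' - the file exists and COMSPEC is right, but it is not readable
    'ok'         - cmd.exe itself looks fine, look elsewhere for the problem
    """
    real = system_root / "system32" / "cmd.exe"
    if not real.is_file():
        return "missing"
    if not comspec or Path(comspec).resolve() != real.resolve():
        return "comspec"
    if not os.access(real, os.R_OK):
        return "permission"
    return "ok"


def find_candidates(system_root: Path, name: str = "cmd.exe") -> Dict[str, str]:
    """What FileFind did by hand: locate spare copies, keyed path -> sha256."""
    found: Dict[str, str] = {}
    for parts in FALLBACK_SUBDIRS:
        p = system_root.joinpath(*parts, name)
        if p.is_file():
            found[str(p)] = sha256_of(p)
    return found


def choose_restore_source(candidates: Dict[str, str]) -> Optional[str]:
    """Pick a copy whose hash is shared by the most spare copies.

    A copy that disagrees with every other one is not trusted, whether it was
    tampered with or is simply an older build (in the thread the
    $NtServicePackUninstall$ copy is 512 bytes smaller than the SP3 copies).
    Returns None when no two copies agree: then restore from install media.
    """
    if not candidates:
        return None
    counts = Counter(candidates.values())
    best_hash, best_count = counts.most_common(1)[0]
    if len(counts) > 1 and best_count == 1:
        return None
    return next(p for p, d in candidates.items() if d == best_hash)


def restore_cmd(system_root: Path, source: str) -> Path:
    """Copy the chosen spare into system32, the manual step from post #16."""
    dest = system_root / "system32" / "cmd.exe"
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(source, dest)
    return dest


def run_demo() -> Dict[str, str]:
    """Walk the whole procedure over a constructed XP-like tree in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sp3 = b"MZ constructed SP3 cmd.exe"        # two spare copies agree
        old = b"MZ constructed pre-SP3 cmd.exe"    # uninstall copy is older
        (root / "system32").mkdir()                # no cmd.exe here: the symptom
        for parts, body in zip(FALLBACK_SUBDIRS, (sp3, sp3, old)):
            p = root.joinpath(*parts, "cmd.exe")
            p.parent.mkdir(parents=True)
            p.write_bytes(body)
        before = diagnose_cmd(root, None)
        cands = find_candidates(root)
        source = choose_restore_source(cands)
        dest = restore_cmd(root, source)
        after = diagnose_cmd(root, str(dest))
        return {"before": before, "candidates": str(len(cands)),
                "source": Path(source).parent.name, "after": after}


if __name__ == "__main__":
    print(run_demo())
```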

#17
eilatan


(In reply to miekiemoes, Sep 6 2009, 08:57 AM, post #16 above)
Combofix starts to run but says the AVG 7.5 scanner is active. I no longer have AVG on the system, and when I try to install AVG 8.5 it says that 7.5 is installed.

Can I still run ComboFix?

#18
miekiemoes

I don't see any references to AVG in your log though, so it's not running here, so it can't interfere either. That's why, yes, please proceed with the scan ;)

#19
eilatan


(In reply to miekiemoes, Sep 6 2009, 09:29 AM, post #18 above)
Log file enclosed.

Attached File: log.txt (20.68K, 11 downloads)


#20
eilatan


(Following up on my own post #19 above, Sep 6 2009, 10:17 AM)
ComboFix 09-09-05.02 - Owner 06/09/2009 9:44.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.447.193 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: AVG 7.5.557 *On-access scanning enabled* (Updated) {41564737-3200-1071-989B-0000E87B4FB1}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc107.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc126.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc127.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc12F.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc13E.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc15F.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc180.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc19E.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc1C5.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc1DA.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc1F7.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc25.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc255.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc2C8.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc324.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc32B.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc3BC.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc3ED.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc57A.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc5F0.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc6A0.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc81.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc8246.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc82B5.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc8C.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mccB.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mccB4.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mccBD.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mccC.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mccC2.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mccC9.tmp
c:\documents and settings\Owner\Owner.exe
c:\windows\Installer\13176.msi
c:\windows\Installer\18a171b.msp
c:\windows\Installer\18a1734.msp
c:\windows\Installer\18a174b.msp
c:\windows\Installer\18a1762.msp
c:\windows\Installer\d573e44.msp
c:\windows\Installer\d573e45.msp
c:\windows\Installer\d573e46.msp
c:\windows\Installer\d573e47.msp
c:\windows\Installer\d573e48.msp
c:\windows\Installer\d573e49.msp
c:\windows\Installer\d573e4a.msp
c:\windows\Installer\d573e4b.msp
c:\windows\Installer\d573e4c.msp
c:\windows\Installer\d573e4d.msp
c:\windows\system32\iAlmcoin.dll
c:\windows\system32\ps2.bat
c:\windows\system32\UACgxkwklbunvdkmqihy.db
c:\windows\system32\uactmp.db
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UACd.sys
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-08-06 to 2009-09-06 )))))))))))))))))))))))))))))))
.

2009-09-06 08:05 . 2008-04-14 00:12 389120 -c--a-w- c:\windows\system32\dllcache\cmd.exe
2009-09-06 08:05 . 2008-04-14 00:12 389120 ----a-w- c:\windows\system32\cmd.exe
2009-08-29 07:36 . 2009-08-29 07:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-29 07:36 . 2009-08-29 07:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-29 07:04 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-29 07:04 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-28 21:06 . 2009-08-28 21:06 -------- d-----w- c:\windows\system32\LogFiles
2009-08-28 20:59 . 2009-08-28 20:59 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-08-28 20:59 . 2009-08-28 20:59 -------- d-----w- c:\windows\OPTIONS
2009-08-28 20:59 . 2008-05-20 12:58 414464 ----a-r- c:\windows\system32\drivers\RTL8192u.sys
2009-08-28 20:58 . 2009-08-28 20:58 -------- d-----w- c:\windows\system32\REALTEK RTL8192U Wireless LAN Driver and Utility
2009-08-28 20:58 . 2009-08-28 20:58 -------- d-----w- c:\program files\REALTEK
2009-08-28 20:46 . 2009-08-28 20:46 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-13 04:49 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-12 14:02 . 2009-09-06 08:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Epitiro
2009-08-12 14:02 . 2009-09-06 08:58 -------- d-----w- c:\program files\isposure
2009-08-12 14:01 . 2009-08-12 14:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-12 14:01 . 2009-08-12 14:01 -------- d-----w- c:\program files\thinkbroadband.com
2009-08-11 12:37 . 2009-08-11 12:37 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Downloaded Installations
2009-08-08 19:19 . 2009-08-08 19:20 -------- d-----w- C:\9c4111a773c9db393968dc4691
2009-08-08 19:18 . 2009-08-09 02:06 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-07 19:55 . 2009-08-07 19:55 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Motive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-05 09:00 . 2008-07-20 20:46 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2009-09-03 07:56 . 2008-07-18 12:22 -------- d-----w- c:\program files\EPSON Print CD
2009-09-01 20:49 . 2008-07-21 11:12 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-08-29 07:04 . 2009-04-29 07:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-28 20:58 . 2003-01-01 18:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-26 12:18 . 2008-08-17 14:04 -------- d-----w- c:\documents and settings\Owner\Application Data\ImgBurn
2009-08-26 11:38 . 2008-07-20 17:32 -------- d-----w- c:\program files\Google
2009-08-26 11:37 . 2009-07-26 15:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-26 07:48 . 2009-03-18 07:41 -------- d-----w- c:\documents and settings\Owner\Application Data\DVD Flick
2009-08-16 12:14 . 2008-07-18 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-12 14:02 . 2008-07-18 13:19 97184 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2002-12-12 14:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 06:47 . 2008-09-06 15:20 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-04 20:59 . 2009-08-04 20:59 -------- d-----w- c:\program files\TomTom International B.V
2009-08-04 20:58 . 2008-11-03 07:59 -------- d-----w- c:\program files\TomTom HOME 2
2009-08-04 05:41 . 2008-09-16 21:04 -------- d-----w- c:\program files\Virtual Earth 3D
2009-08-03 15:46 . 2009-08-03 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-08-03 15:41 . 2008-12-22 16:19 -------- d-----w- c:\program files\Yahoo!
2009-08-03 15:41 . 2009-08-03 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-08-03 15:40 . 2009-08-03 15:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Motive
2009-08-03 15:40 . 2009-08-03 15:39 -------- d-----w- c:\program files\BT Broadband Desktop Help
2009-08-03 15:39 . 2009-08-03 15:39 -------- d-----w- c:\program files\Common Files\Motive
2009-08-03 15:39 . 2009-08-03 15:39 -------- d-----w- c:\program files\Citrix
2009-08-03 15:37 . 2009-08-03 15:37 -------- d-----w- c:\program files\BTHomeHub
2009-07-19 15:34 . 2009-07-18 21:00 -------- d-----w- c:\program files\Codec Pack - All In 1
2009-07-19 15:34 . 2009-07-19 15:34 -------- d-----w- c:\program files\ffdshow
2009-07-17 21:24 . 2009-01-04 13:44 -------- d-----w- c:\documents and settings\Owner\Application Data\TeamViewer
2009-07-17 19:01 . 2003-01-01 08:32 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 12:35 . 2009-07-12 12:35 -------- d-----w- c:\program files\Trend Micro
2009-07-12 11:21 . 2003-01-01 18:01 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 09:40 . 2009-07-12 09:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-12 09:39 . 2009-07-12 09:38 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-12 09:38 . 2009-07-12 09:38 -------- d-----w- c:\program files\Lavasoft
2009-07-12 09:19 . 2009-07-12 09:19 -------- d-----w- c:\documents and settings\Administrator.YOUR-V7OY5L24PG.000\Application Data\Malwarebytes
2009-07-12 08:42 . 2009-05-17 18:21 -------- d-----w- c:\program files\Hazard Perception 2003
2009-07-12 08:35 . 2008-08-01 13:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-12 07:39 . 2009-07-12 07:39 344 ----a-w- c:\documents and settings\Owner\QTFJMC.bat
2009-07-12 07:39 . 2009-07-12 07:39 85 ----a-w- C:\159.bat
2009-07-03 20:01 . 2009-07-03 20:01 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-03 17:09 . 2006-06-23 10:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-03 14:49 . 2009-07-12 09:40 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-03 14:49 . 2009-07-12 10:18 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-25 08:25 . 2005-06-15 17:50 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2003-01-01 08:36 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2003-01-01 08:34 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2003-01-01 08:34 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2003-01-01 08:34 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2003-01-01 08:34 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-24 11:18 . 2003-01-02 00:20 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2003-01-01 08:35 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2003-01-01 08:33 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2003-01-02 00:20 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2003-01-01 08:32 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2003-01-01 08:34 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2003-01-01 08:36 132096 ----a-w- c:\windows\system32\wkssvc.dll
2008-07-18 12:05 . 2008-07-18 12:05 278528 ----a-w- c:\program files\Common Files\FDEUnInstaller.exe
2004-01-02 05:34 . 2008-07-18 19:52 0 --sha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-25 39408]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-04-08 251240]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-03-25 1548288]
"btbb_wcm_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe" [2009-03-25 1516032]
"tbbMeter"="c:\program files\thinkbroadband.com\tbbMeter\tbbmeter.exe" [2009-08-26 521736]

c:\documents and settings\Administrator.YOUR-V7OY5L24PG\Start Menu\Programs\Startup\
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]

c:\documents and settings\Administrator.YOUR-V7OY5L24PG.000\Start Menu\Programs\Startup\
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
REALTEK RTL8192U Wireless LAN Utility.lnk - c:\program files\REALTEK\8192U Wireless LAN Utility\RtWLan.exe [2009-8-28 868352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-08-03 15:39 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IM-me.lnk]
backup=c:\windows\pss\IM-me.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Stupid Data Dart Wave
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Warn Jugs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)
"gupdate1c9f4e4c6d8156"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpBrowser.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpNotifier.exe"=
"c:\\Program Files\\REALTEK\\8192U Wireless LAN Utility\\RtWLan.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
"1542:UDP"= 1542:UDP:Realtek WPS UDP Prot

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/07/2009 10:40 64160]
R2 isposure_svc;IsposureAgent;c:\program files\isposure\IsposureAgent.exe [23/10/2008 08:43 761856]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1029456]
R3 S3U10Scanner;600 CU Still Image Device Service;c:\windows\system32\drivers\UsbScan.sys [18/07/2008 20:53 15104]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\aspi32.sys [01/08/2008 14:29 16512]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [11/01/2009 18:12 10976]
S3 RTL8192u;Realtek RTL8192U Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192u.sys [28/08/2009 21:59 414464]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [25/12/2008 11:44 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [25/12/2008 11:44 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [25/12/2008 11:44 107304]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [25/12/2008 11:44 99112]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [25/12/2008 11:44 21928]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [25/12/2008 11:44 97320]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [25/12/2008 11:44 97704]
S4 gupdate1c9f4e4c6d8156;Google Update Service (gupdate1c9f4e4c6d8156);c:\program files\Google\Update\GoogleUpdate.exe [24/06/2009 16:54 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-09-06 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 16:39]

2009-09-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-20 15:48]

2009-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-24 15:54]

2009-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-24 15:54]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-AVG7_Run - c:\progra~1\Grisoft\AVG7\avgw.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://bt.yahoo.com
uDefault_Search_URL = hxxp://srch-qgb9.hpwis.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} - hxxps://register.btinternet.com/templates/btmailcontrol013.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-06 09:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(3868)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\TomTom HOME 2\TomTomHOMEService.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2009-09-06 10:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-06 09:06

Pre-Run: 21,065,994,240 bytes free
Post-Run: 21,046,419,456 bytes free

289 --- E O F --- 2009-09-01 20:52